Merge pull request #633 from IABTechLab/ccm-UID2-3590-call-check-token-input-cstg

Respond with 400 instead of 500 when CSTG request validation fails

Author: caroline-ttd

src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java

@@ -453,6 +453,10 @@ else if(emailHash != null) {
             input = InputUtil.normalizePhoneHash(phoneHash);
         }
 
+        if (!checkForInvalidTokenInput(input, rc)) {
+            return;
+        }
+
         PrivacyBits privacyBits = new PrivacyBits();
         privacyBits.setLegacyBit();
         privacyBits.setClientSideTokenGenerate();
@@ -893,7 +897,7 @@ private void handleTokenRefreshV2(RoutingContext rc) {
     private void handleTokenValidateV1(RoutingContext rc) {
         try {
             final InputUtil.InputVal input = this.phoneSupport ? getTokenInputV1(rc) : getTokenInput(rc);
-            if (this.phoneSupport ? !checkTokenInputV1(input, rc) : !checkTokenInput(input, rc)) {
+            if (!checkForInvalidTokenInput(input, rc)) {
                 return;
             }
             if ((Arrays.equals(ValidateIdentityForEmailHash, input.getIdentityInput()) && input.getIdentityType() == IdentityType.Email)
@@ -924,7 +928,7 @@ private void handleTokenValidateV2(RoutingContext rc) {
             final JsonObject req = (JsonObject) rc.data().get("request");
 
             final InputUtil.InputVal input = getTokenInputV2(req);
-            if (this.phoneSupport ? !checkTokenInputV1(input, rc) : !checkTokenInput(input, rc)) {
+            if (!checkForInvalidTokenInput(input, rc)) {
                 return;
             }
             if ((input.getIdentityType() == IdentityType.Email && Arrays.equals(ValidateIdentityForEmailHash, input.getIdentityInput()))
@@ -956,7 +960,7 @@ private void handleTokenGenerateV1(RoutingContext rc) {
         try {
             final InputUtil.InputVal input = this.phoneSupport ? this.getTokenInputV1(rc) : this.getTokenInput(rc);
             platformType = getPlatformType(rc);
-            if (this.phoneSupport ? !checkTokenInputV1(input, rc) : !checkTokenInput(input, rc)) {
+            if (!checkForInvalidTokenInput(input, rc)) {
                 return;
             } else {
                 final IdentityTokens t = this.idService.generateIdentity(
@@ -983,7 +987,7 @@ private void handleTokenGenerateV2(RoutingContext rc) {
             platformType = getPlatformType(rc);
 
             final InputUtil.InputVal input = this.getTokenInputV2(req);
-            if (this.phoneSupport ? !checkTokenInputV1(input, rc) : !checkTokenInput(input, rc)) {
+            if (!checkForInvalidTokenInput(input, rc)) {
                 return;
             } else {
                 final String apiContact = getApiContact(rc);
@@ -1258,7 +1262,7 @@ private void handleBucketsV2(RoutingContext rc) {
 
     private void handleIdentityMapV1(RoutingContext rc) {
         final InputUtil.InputVal input = this.phoneSupport ? this.getTokenInputV1(rc) : this.getTokenInput(rc);
-        if (this.phoneSupport ? !checkTokenInputV1(input, rc) : !checkTokenInput(input, rc)) {
+        if (!checkForInvalidTokenInput(input, rc)) {
             return;
         }
         try {
@@ -1387,20 +1391,10 @@ private InputUtil.InputVal getTokenInputV1(RoutingContext rc) {
         return null;
     }
 
-    private boolean checkTokenInput(InputUtil.InputVal input, RoutingContext rc) {
-        if (input == null) {
-            ResponseUtil.ClientError(rc, "Required Parameter Missing: exactly one of email or email_hash must be specified");
-            return false;
-        } else if (!input.isValid()) {
-            ResponseUtil.ClientError(rc, "Invalid Identifier");
-            return false;
-        }
-        return true;
-    }
-
-    private boolean checkTokenInputV1(InputUtil.InputVal input, RoutingContext rc) {
+    private boolean checkForInvalidTokenInput(InputUtil.InputVal input, RoutingContext rc) {
         if (input == null) {
-            ResponseUtil.ClientError(rc, "Required Parameter Missing: exactly one of [email, email_hash, phone, phone_hash] must be specified");
+            String message = this.phoneSupport ? "Required Parameter Missing: exactly one of [email, email_hash, phone, phone_hash] must be specified" : "Required Parameter Missing: exactly one of email or email_hash must be specified";
+            ResponseUtil.ClientError(rc, message);
             return false;
         } else if (!input.isValid()) {
             ResponseUtil.ClientError(rc, "Invalid Identifier");

src/test/java/com/uid2/operator/UIDOperatorVerticleTest.java

@@ -4162,6 +4162,34 @@ void cstgNoActiveKey(Vertx vertx, VertxTestContext testContext) throws NoSuchAlg
                 });
     }
 
+    @ParameterizedTest
+    @CsvSource({
+            "email_hash,random@unifiedid.com",
+            "phone_hash,1234567890",
+    })
+    void cstgInvalidInput(String identityType, String rawUID, Vertx vertx, VertxTestContext testContext) throws NoSuchAlgorithmException, InvalidKeyException {
+        setupCstgBackend("cstg.co.uk");
+        setupKeys(true);
+
+        JsonObject identity = new JsonObject();
+        identity.put(identityType, getSha256(rawUID) + getSha256(rawUID));
+        identity.put("optout_check", 1);
+        Tuple.Tuple2<JsonObject, SecretKey> data = createClientSideTokenGenerateRequestWithPayload(identity, Instant.now().toEpochMilli(), null);
+
+        sendCstg(vertx,
+                "v2/token/client-generate",
+                "http://cstg.co.uk",
+                data.getItem1(),
+                data.getItem2(),
+                400,
+                testContext,
+                respJson -> {
+                    assertFalse(respJson.containsKey("body"));
+                    assertEquals("Invalid Identifier", respJson.getString("message"));
+                    testContext.completeNow();
+                });
+    }
+
     private void assertAreClientSideGeneratedTokens(AdvertisingToken advertisingToken, RefreshToken refreshToken, int siteId, IdentityType identityType, String identity,
                                                     boolean expectClientSideTokenGenerateOptoutResponse) {
         assertAreClientSideGeneratedTokens(advertisingToken,